The Iranian hacking group known as Infy, also referred to as Prince of Persia, has significantly evolved its tactics, shifting its command-and-control (C2) infrastructure to align with the recent easing of an internet blackout imposed by Iranian authorities. This strategic move suggests state sponsorship and a desire to evade detection while continuing its cyber espionage operations.
SafeBreach, a cybersecurity firm, observed a conspicuous pause in Infy’s C2 server maintenance starting January 8, the same day Iran implemented a nationwide internet shutdown in response to protests. Activity resumed on January 26, 2026, with the deployment of new C2 infrastructure, a day prior to the relaxation of internet restrictions. This timing offers strong evidence of the group’s connection to the Iranian state.
Infy’s Evolving Cyber Espionage Tactics
Infy is a long-standing, lesser-known Iranian threat actor that has been operating since 2004. Unlike more prominent groups, Infy has maintained a low profile, focusing on highly targeted intelligence gathering operations. Its activities are aligned with Iran’s strategic geopolitical interests, encompassing espionage, sabotage, and influence operations.
In late 2025, SafeBreach detailed updated methods employed by Infy, including the use of refined versions of their custom malware families, Foudre and Tonnerre. The latter has been particularly noteworthy for its integration of a Telegram bot, likely used for command execution and data exfiltration. The most recent iteration of this malware, codenamed Tornado, now operates under version 51.
Between December 2025 and February 2026, Infy replaced the C2 infrastructure for all known versions of Foudre and Tonnerre. Tornado version 51 uniquely employs both HTTP and Telegram for its C2 communications. This dual approach is designed for enhanced flexibility in domain name generation and registration, potentially reducing the need for frequent malware updates.
New Attack Vectors and Malware Functionality
Evidence suggests Infy has begun leveraging a recently discovered 1-day vulnerability in WinRAR to deliver its Tornado payload. This change in attack vector aims to improve the success rate of its campaigns. Specially crafted RAR archives exploiting this flaw were uploaded to VirusTotal in mid-December 2025, hinting at potential targets in countries like the United States and Israel.
Within the weaponized RAR archives are self-extracting archives (SFX) containing two crucial components: AuthFWSnapin.dll, the primary Tornado version 51 DLL, and reg7989.dll. The latter acts as an installer, checking for the absence of Avast antivirus software. If Avast is not present, it establishes persistence by creating a scheduled task before executing the Tornado DLL.
Tornado initiates communication with its C2 server via HTTP to download and execute the main backdoor and gather system information. Alternatively, when Telegram is utilized as the C2 method, Tornado employs the bot API to exfiltrate system data and receive further instructions.
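The persistence step described above (an installer registering a scheduled task that runs a DLL dropped by the SFX archive) is something defenders can hunt for in task-creation audit events. The following is an added example, not SafeBreach's tooling or code from the report: it scans constructed, simplified Event ID 4698 records for the two DLL names the report gives and for the more general pattern of a DLL launcher pointed at a user-writable path; the flattened log format, task names and paths are assumptions of this example.

```python
"""Hunt scheduled-task-creation records (Windows Security Event 4698) for
the Tornado installer persistence pattern. The 'key=value; key=value'
record layout below is a simplification assumed by this example."""
from __future__ import annotations
import re
from dataclasses import dataclass

# DLL names from the report; everything else in this block is constructed.
SUSPECT_DLLS = {"authfwsnapin.dll", "reg7989.dll"}
# Locations a self-extracting archive typically unpacks into (assumption).
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|Public)\\", re.I)
# Signed Windows binaries commonly used to run a DLL as a task action.
DLL_LAUNCHERS = re.compile(r"\b(rundll32|regsvr32)(\.exe)?\b", re.I)

@dataclass
class TaskEvent:
    event_id: int
    task_name: str
    command: str
    arguments: str

def parse_4698(line: str) -> TaskEvent | None:
    """Parse one flattened audit line; return None if it is not well-formed."""
    fields = dict(kv.split("=", 1) for kv in line.split("; ") if "=" in kv)
    try:
        return TaskEvent(int(fields["EventID"]), fields["TaskName"],
                         fields.get("Command", ""), fields.get("Arguments", ""))
    except (KeyError, ValueError):
        return None

def score(ev: TaskEvent) -> list[str]:
    """Reasons a task-creation event resembles the installer behaviour."""
    if ev.event_id != 4698:          # only task *creation*, not updates/deletes
        return []
    action = f"{ev.command} {ev.arguments}"
    reasons = []
    if any(dll in action.lower() for dll in SUSPECT_DLLS):
        reasons.append("references DLL name from Infy/Tornado SFX")
    if DLL_LAUNCHERS.search(ev.command) and USER_WRITABLE.search(action):
        reasons.append("LOLBin loads DLL from user-writable path")
    return reasons

def hunt(lines: list[str]) -> dict[str, list[str]]:
    """Map each suspicious task name to the reasons it was flagged."""
    hits: dict[str, list[str]] = {}
    for line in lines:
        ev = parse_4698(line)
        if ev and (why := score(ev)):
            hits[ev.task_name] = why
    return hits

SAMPLE_LOG = [  # constructed records, not real telemetry
    "EventID=4698; TaskName=\\Microsoft\\Windows\\Defrag\\ScheduledDefrag; Command=%windir%\\system32\\defrag.exe; Arguments=-c -h",
    "EventID=4698; TaskName=\\Updater; Command=rundll32.exe; Arguments=C:\\Users\\u\\AppData\\Local\\Temp\\AuthFWSnapin.dll,Start",
    "EventID=4698; TaskName=\\Sync; Command=C:\\Windows\\System32\\rundll32.exe; Arguments=C:\\Users\\u\\Downloads\\x\\helper.dll,Run",
    "EventID=4702; TaskName=\\Updater; Command=rundll32.exe; Arguments=C:\\Temp\\reg7989.dll,Install",
]

if __name__ == "__main__":
    for name, why in hunt(SAMPLE_LOG).items():
        print(name, "->", "; ".join(why))
```

The second rule fires on any DLL launched from a user-writable directory, so it keeps value after the attacker renames the files; tune the path list to your environment's legitimate installers.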
The group’s use of Telegram has seen minor adjustments. While version 50 utilized a specific Telegram group and bot, the latest iteration features a new user handle for Telegram interactions. While a Telegram bot member typically lacks broad chat permissions, SafeBreach gained access to messages within a private Telegram group, revealing exfiltrated files and encoded commands sent to Tonnerre since early 2025.
Analysis of this Telegram data has uncovered a malicious ZIP file that deploys ZZ Stealer, a component that loads a custom variant of the StormKitty infostealer. This ZZ Stealer attack chain exhibits a strong correlation with a campaign targeting the Python Package Index (PyPI) repository, specifically with a package named “testfiwldsd21233s,” intended to distribute an earlier version of ZZ Stealer and exfiltrate data via Telegram.
Additionally, SafeBreach noted a weaker potential linkage between Infy and Charming Kitten (also known as Educated Manticore), possibly due to shared tactics such as the use of ZIP and Windows Shortcut (LNK) files, and a PowerShell loader technique. ZZ Stealer appears to function as a first-stage malware, gathering environmental data, screenshots, and exfiltrating desktop files. Upon receiving a specific command from the C2 server, it downloads and executes a second-stage malware, also referred to as “8==3” by the threat actor.
The continued evolution of Infy’s infrastructure and malware, particularly its adoption of sophisticated domain generation algorithms and Telegram integration, indicates a persistent and adaptive threat. The group’s actions suggest ongoing efforts to maintain operational security and conduct espionage against targeted entities. Future activity will likely focus on refining these tactics to maintain stealth and exploit emerging vulnerabilities.